| <!DOCTYPE html> |
| <html> |
| <head> |
| <meta http-equiv="Content-Security-Policy" content="img-src 'none'"> |
| <script> |
| if (window.testRunner) { |
| testRunner.dumpAsText(); |
| testRunner.waitUntilDone(); |
| } |
| |
| tests = 4; |
| window.addEventListener("message", function(message) { |
| tests -= 1; |
| test(); |
| }, false); |
| |
| function setup() { |
| // This is needed because isolated worlds are not reset between test |
| // runs and a previous test's CSP may interfere with this test. See |
| // https://crbug.com/415845. |
| testRunner.setIsolatedWorldInfo(1, null, null); |
| var img = document.getElementById('testimg'); |
| img.onload = function () { |
| alert('LOADED'); |
| window.postMessage("next", "*"); |
| }; |
| img.onerror = function () { |
| alert('BLOCKED'); |
| window.postMessage("next", "*"); |
| }; |
| test(); |
| } |
| |
| function test() { |
| function setImgSrc(num) { |
| var img = document.getElementById('testimg'); |
| img.src = "../resources/abe.png?" + num; |
| } |
| |
| alert("Running test #" + tests + "\n"); |
| switch (tests) { |
| case 4: |
| alert("Test in main world."); |
| setImgSrc(4); |
| break; |
| case 3: |
| alert("Test in isolated world without a CSP."); |
| testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setImgSrc")) + "\nsetImgSrc(3);"); |
| break; |
| case 2: |
| alert("Test in isolated world with lax CSP"); |
| testRunner.setIsolatedWorldInfo(1, 'chrome-extension://123', 'img-src *'); |
| testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setImgSrc")) + "\nsetImgSrc(2);"); |
| break; |
| case 1: |
| alert("Test in isolated world with restrictive CSP"); |
| testRunner.setIsolatedWorldInfo(1, 'chrome-extension://123', "img-src 'self'"); |
| testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setImgSrc")) + "\nsetImgSrc(0);"); |
| break; |
| case 0: |
| testRunner.setIsolatedWorldInfo(1, null, null); |
| testRunner.notifyDone(); |
| break; |
| } |
| } |
| </script> |
| </head> |
| <body onload='setup();'> |
| <p> |
| <img id="testimg"> |
| This test ensures that img-src checks respect the isolated world CSP |
| when the IsolatedWorldCSP feature is enabled and bypass the main world |
| CSP checks otherwise. |
| </p> |
| </body> |
| </html> |